Service Principal Name Scanning Active Directory

Dropping these notes here as a reminder for myself; they might be useful for you too. Scanning for services within Active Directory is best done by utilising existing functionality to avoid detection, and this is best achieved through Service Principal Names (SPNs). Sean created a resource page of useful SPNs. His Active Directory recon code is here. And this is a talk given by Sean earlier this year entitled: Red vs. Blue: Modern Active Directory Attacks & Defense

Command and Control Using Powershell and Twitter

Initially I wanted to update and extend @obscuresec’s Powershell Twitter Bot. The problem is that it was written in early 2013 and relied on Twitter’s API 1, which required no authentication. The current Twitter API 1.1 does require authentication and encryption, and although doable from Powershell, the code is far too verbose for my purposes. With these hurdles in mind I took a closer look at the modus operandi of the Russian criminal group using Hammertoss: they avoided the API altogether and had the code simply reach out to the URL of the Twitter handle and look for a hashtag. I thought this…

Raphael Mudge’s Advanced Threat Tactics Course

Going through Raphael Mudge’s Advanced Threat Tactics Course videos and blog post is akin to rummaging through treasure. Although this is a showcase for Cobalt Strike, which is a *must have* tool for IT security Red Team operations and Adversary Simulation, it is so much more. For me, this course catapulted and solidified my thinking and is the pre-eminent single source of information for not only the tools of advanced threat simulation, but the underlying methodology and tradecraft. I’ll make no bones about it, I consider Cobalt Strike a masterpiece put together by a craftsman, and in case you think I’m going overboard, harmj0y described…

Powershell Remote Access Trojan – PoshRat

I’ve been going through @nikhil_mitt’s 5-part blog series on Powershell Shells. It’s beautifully and meticulously laid out and covers:
Day 1 – Interactive PowerShell shells over TCP
Day 2 – Interactive PowerShell shells over UDP
Day 3 – Interactive PowerShell shells over HTTP/HTTPS
Day 4 – Interactive PowerShell shells with WMI
Day 5 – Interactive PowerShell shells over ICMP and DNS
Nikhil is the author of the offensive security Powershell tools Nishang and Kautilya, and his blog post series is ideal if you want to roll up your sleeves and play with these tools manually…

Powershell Tools for IT Security Operations

In truth I simply needed a place to store and sort all of the Powershell tools I find, and thought it might be of use for others:
PowerShell Empire – Pure PowerShell post-exploitation agent. Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
Powertools – A collection of PowerShell projects with a focus on offensive operations. This contains both PowerUp (tool to assist with…

Tool agnostic fundamentals for Red Team operations

It was so tempting to call this post “Moving beyond Meterpreter”, as the below video entitled Flying a Cylon Raider features Raphael Mudge talking about taking our knowledge of Meterpreter and mapping it to new tools. Quite coincidentally – and before this talk was published – I asked Raphael the following: @armitagehacker I've been going thru comparing Tradecraft 2013 to 2015. With all the new Powershell developments do we need Metasploit? — Stuart Winter-Tear (@StegoPax) November 13, 2015 Raphael responded today with these salient Tweets: @StegoPax my $.02: red team ops/adv. sims are not pen testing. These activities really require focused toolsets. Those…

Criminals increasingly using social media as command-and-control (C2)

A paper entitled C&C-AS-A-SERVICE: ABUSING THIRD-PARTY WEB SERVICES AS C&C CHANNELS caught my attention yesterday. It looks at the growth in criminals leveraging popular web services for Command & Control (C2). The web services cited are: Google Docs, Twitter, Facebook, Microsoft Technet, YouTube, VKontakte, Jaiku, Tumblr, Google+, Yahoo Mail, Gmail, Google Talk, MSN Messenger, Skype, Google Calendar. So, quite a few options for the criminal, as you can see. Why do criminals use third-party web services for C2? One benefit for the criminal in utilising this strategy is that traffic to these websites looks legitimate, is often encrypted (HTTPS) and will blend in with legitimate use…

IT Security Red Team Post Exploitation Methodology

I want to share a talk given by @davidpmcguire and @harmj0y entitled: Passing the Torch: Old School Red Teaming, New School Tactics. The premise of the talk is to explain their take on Red Team operations and methodology. An important feature of this is the notion of emulating threat techniques independently of the toolkit; in other words, the ability to use multiple tools to perform the same function. The important point is that Red Teams do not need to use the exact tools of the adversaries, but can use any means to accomplish the job, as long as the techniques are mirrored. In terms…

@TrustedSec Penetration Testers Framework (PTF)

A new framework of pentesting tools has been released by @TrustedSec which I think is a *must have* in your toolkit. Not only are cool tools being added constantly: @stegopax – always adding! — Dave Kennedy (ReL1K) (@HackingDave) November 13, 2015 They are also updated every time we run PTF. The tools are beautifully organised for us in intuitive folders: Intelligence-Gathering, Exploitation, Post-Exploitation etc. These are all available to us in the /pentest folder. Many of the tools have “launchers”, so no matter where you are in your system you can type the launcher alias, such as “setoolkit”, and it loads. Installation is a doddle:…